Proofs and Tools


21 Nov 2013 (3 years and 10 months ago)


1

Cryptography:

Proofs and Tools

Gerard Tel

Dept of Computer Science, Utrecht

2

Talk overview


Part 1: Proofs


Definition and existence


Proofs with numbers


Numbers versus “Ad hoc”


Part 2: Tools


Signature schemas


Zero knowledge proofs


Secret Sharing

3

Cryptography: The art of protection using information

To have or not to have….

To know or not to know

4

Two examples

Encryption (DES)

Alice sends email $y = E_k(x)$

Bob computes $x = D_k(y)$

Oscar knows no $k$: which $D$ function?

Identification with One-way function $H$

A gives Bank $b = H(a)$

Bank pays on seeing $a'$ s.t. $H(a') = b$

O knows no $a'$


5

Two more examples

Signatures

Alice signs $M$ with $x$: $S = \mathrm{Sig}(M, x)$

Bob verifies with $y$: $\mathrm{Ver}(M, S, y)$

Oscar cannot forge $S'$ for $M'$ s.t. $\mathrm{Ver}(M', S', y)$

Public Key pairs

Alice holds secret $x$

Bob holds public $y$

Relation $P(x, y)$

Oscar cannot compute $x$ from $y$

6

I recognize it when I see it ....

Encryption: $k$ s.t. $D_k(y)$ is text

Identification: $a'$ s.t. $H(a') = b$

Signatures: $S'$ s.t. $\mathrm{Ver}(M', S', y)$

Key pair: $x$ s.t. $P(x, y)$

7

…. But I don’t know it

8

Assumption: Factoring

Primes $p$ and $q$ (e.g. 512 bits)

$n = p \cdot q$ (1024 bits)

Given $n$, one recognizes $p$ and $q$

Assumption: Given $n$, computing $p$ is impossible

9

Assumption: Discrete Log

Compute modulo large $p$: $0, 1, \ldots, p-1$

Element $g$ has order: $1 = g^0, g^1, g^2, g^3, \ldots, g^{ord} = 1$

Fix $g$ of high order.

From $x$, power $y = g^x$ is computable

Assumption: From $y$, $x$ s.t. $y = g^x$ is not computable

10

Rabin’s encryption

Alice’s secret key: $p$ and $q$

public key: product $n$

Bob encrypts $x$ as $y = x^2 \bmod n$

Alice decrypts as extracting square root

$p$ and $q$ are needed!

Oscar cannot extract roots

11

Square roots modulo $n$

A square number has 4 roots

$n = 77 = 7 \cdot 11$:

$36^2 = 64$ (1296 mod 77)

36, 41, 8, 69 have square 64

Two pairs: $36 = -41$ and $8 = -69$

Combine from two pairs: $41 + 69 = 33$

$\gcd(33, 77) = 11$

12

Rabin: Provably Secure

If Oscar can find $x$ from $x^2 = y \bmod n$

Select random $z$

Solve $x$ from $x^2 = z^2$

Prob. 1/2: $x$ and $z$ differ: find $p$ and $q$

Contradicts Factoring Assumption

Rabin is cryptographically strong

13

Chosen Ciphertext Attack

Procedure for CCA:

Oscar sends Alice $y$, obtains $x$, computes

Rabin is vulnerable:

Oscar sends $y = z^2$

succeeds with Pr = 1/2

Decrypted messages as sensitive as key

Weakness inherent in strength
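The argument of slides 11 to 13, worked through on the slides' own toy modulus $n = 77$, as an added example that is not part of the original talk. It shows why a raw Rabin decryption result for a ciphertext someone else chose is as sensitive as the key itself. The function names and the choice that the oracle returns the smallest root are assumptions made for the illustration.

```python
from math import gcd

# Toy parameters from the slides: n = 77 = 7 * 11 (both primes are 3 mod 4).
P, Q = 7, 11
N = P * Q

def sqrt_mod_prime(y, p):
    """Square root of a square y modulo a prime p with p % 4 == 3."""
    return pow(y, (p + 1) // 4, p)

def crt(rp, rq):
    """Combine a residue mod P and a residue mod Q into one residue mod N."""
    return (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N

def four_roots(y):
    """All square roots of a square y modulo N; needs the secret P and Q."""
    rp, rq = sqrt_mod_prime(y, P), sqrt_mod_prime(y, Q)
    return sorted({crt(a, b) for a in (rp, P - rp) for b in (rq, Q - rq)})

def decryption_oracle(y):
    """Alice's raw decryption (assumption: she returns the smallest root)."""
    return four_roots(y)[0]

def factor_from_root(z, x):
    """A root x of z^2 with x != +-z gives a factor of N; otherwise None."""
    if x in (z % N, -z % N):
        return None
    return gcd(x + z, N)

def attack_success_rate():
    """Fraction of invertible z for which the returned root factors N."""
    zs = [z for z in range(1, N) if gcd(z, N) == 1]
    hits = sum(factor_from_root(z, decryption_oracle(z * z % N)) is not None
               for z in zs)
    return hits / len(zs)
```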

14

RSA: Allegedly secure

Similar but use higher order roots.

Public key: $(n, e)$

Encryption $y = x^e$

Decryption $x = y^d$ ($d$ from $p$, $q$)

$e$th-rooting is believed but not proven to be as hard as factoring

15

RSA Decryption

$\varphi = (p-1)(q-1)$

All $x$: $x^{\varphi} = 1 \pmod n$

From $p$, $q$, $n$, $e$, compute $d$ s.t. $e \cdot d = k \cdot \varphi + 1$

$y^d = (x^e)^d = x^{k \cdot \varphi + 1} = 1^k \cdot x = x$

Secretly keep $d$, purge $p$, $q$.

16

RSA Keys are secure

Oscar finds $\varphi$ from $n$:

$p + q = n - \varphi + 1$, solve $p$, $q$

Oscar finds $\varphi$ from $n$ and $e$:

Simulate generation of $e$ to do without

Oscar finds $d$ from $n$ and $e$:

$n, e, d \to p, q$

Key protection is cryptographically strong

17

Ad hoc versus Numbers: Hash functions

Map $H : \{0,1\}^* \to \{0,1\}^k$

One-way: From $y = H(x)$, $x$ cannot be found

Collision-free: No $x_1$, $x_2$ can be found s.t. $H(x_1) = H(x_2)$

Such $x_1$, $x_2$ exist

18

Fair Guessing Games

Linda dates Jon if Jon guesses parity of $x$

L chooses $x$ and gives $y = H(x)$

J guesses even/odd

L reveals $x$

Cheating

$y$ doesn’t reveal $x$ to Jon: one-way

$y$ binds Linda: collision-free


19

Bit manipulation: MD5


How does it work


XOR, AND, OR words


Combine with sin bits


Four rounds in


Why does it work


Why four rounds


MD4 background


Why this combination


Attacks on variants



Why is it secure?


We don’t know

20

Discrete Log Hash (Chaum)

How does it work

Select $g$, random $h$.

$f(x, x') = g^x \cdot h^{x'}$

Why does it work

$\log(h)$: $a$ s.t. $g^a = h$ will never be known

$f(x, x') = f(y, y')$

$g^x \cdot h^{x'} = g^y \cdot h^{y'}$

$a = (x - y)(y' - x')^{-1}$

Cryptographically strong collision free

21

Trapdoor Hash

Cheat in generation of $f$.

Select $h = g^a$ instead of random $h$.

Collision: $g^x \cdot h^{x'} = g^{x - a \cdot z} \cdot h^{x' + z}$

Trapped $f$ remains cryptographically strong one-way.
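Both directions of slides 20 and 21 in a small group, as an added example that is not part of the original talk: whoever knows $a = \log(h)$ produces collisions at will, and any collision, however it was found, gives $a$ back. The group (prime 23, $g = 2$ of order 11) and the function names are constructed for the illustration.

```python
# Constructed toy group: G = 2 has prime order 11 modulo 23.
P_MOD, ORDER, G = 23, 11, 2

def f(x, x2, h):
    """Chaum's hash f(x, x') = g^x * h^x' (x2 stands for x')."""
    return pow(G, x, P_MOD) * pow(h, x2, P_MOD) % P_MOD

def trapdoor_collision(x, x2, z, a):
    """Slide 21: with a = log_g(h), (x - a*z, x' + z) hashes like (x, x')."""
    return (x - a * z) % ORDER, (x2 + z) % ORDER

def log_from_collision(x, x2, y, y2):
    """Slide 20: a = (x - y) * (y' - x')^-1, computed modulo the group order."""
    return (x - y) * pow(y2 - x2, -1, ORDER) % ORDER

def break_log_with_collision_finder(h):
    """Exhaustive collision search, feasible only at toy size, turned into log(h)."""
    seen = {}
    for x in range(ORDER):
        for x2 in range(ORDER):
            v = f(x, x2, h)
            if v in seen and seen[v][1] != x2:
                y, y2 = seen[v]
                return log_from_collision(x, x2, y, y2)
            seen.setdefault(v, (x, x2))
    return None
```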

22

Questions?

23

Gerard Tel, Part 2:


Cryptographic Tools:


Signatures


Zero knowledge


Secret Sharing

24

Digital Signatures

Alice signs message $M$: $S = \mathrm{Sig}(M, x)$

Bob verifies signature $S$: $\mathrm{Ver}(M, S, y)$

Validity: $\mathrm{Ver}(M, \mathrm{Sig}(M, x), y)$

Forgery: Oscar finds $M$, $S$: $\mathrm{Ver}(M, S, y)$

25

RSA Signatures

Public/Secret key: $(n, e)$ and $(n, d)$

Functions $x \mapsto x^e$ and $y \mapsto y^d$ are inverses

Sign $M$: $S = M^d$ (compute)

Verify $S$: $S^e = M$ (check)

Forge signature under $M$: Invert RSA public function

26

Existential Forgery

Oscar: random $S$, $M = S^e$.

$M$ takes special form

………01010101010101

Hash of longer message

27

Blind Signatures

Alice signs one message without seeing it

Bob has $M$, selects blinder $b$

Bob gives Alice blinded message $M' = M \cdot b$

Alice signs for Bob: $S' = M'^d$

Bob unblinds: divide by $b^d$.

28

Blind Signatures

Alice signs one message without seeing it

Bob has $M$, selects blinder $b = k^e$

Bob gives Alice blinded message $M' = M \cdot b$

Alice signs for Bob: $S' = M'^d$

Bob unblinds: divide by $b^d$

$S = S' / k$

Similar: Blind decryption

29

Zero knowledge proofs

Identification by secret

A gives Bank $b = H(a)$

Bank pays on seeing $a$

If Alice shows $a$: employee, eavesdropper become as powerful.

Alice proves to know $a$ without showing

30

0KP of a Square Root

Alice holds $a$, Bob holds $b = a^2$

Withdrawing of money:

Alice selects $s = r^2$ and gives Bob $s$

Claim: I know roots of $s$ and $s \cdot b$

This is true namely $r$ and $r \cdot a$

This implies knowing $a$ as quotient of roots

31

Verify knowing two roots

Bob sees one! Otherwise becomes too smart

Challenge $c$ = 0/1

Alice must give one root:

$r$ of $s$ ($c = 0$)

$r \cdot a$ of $s \cdot b$ ($c = 1$)

Oscar does not know both

Fails with Pr = 1/2.

32

What does Bob learn?

Triple $(s, c, y)$

$s$ is random square

$c$ is random bit

$y$ solves $y^2 = s \cdot b^c$

To generate such, choose

$c$ as random bit

$y$ as random number

$s$ as $y^2 / b^c$

33

How can it convince?

Compute order $s, c, y$: needs $a$

Compute order $c, y, s$: don’t need $a$

Protocol enforces $s, c, y$

Transcript doesn’t show order.
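The protocol of slides 30 to 33 as running code, added here and not part of the original talk: an honest round in the order $s, c, y$, the simulator that builds an equally valid triple in the order $c, y, s$ without $a$, and a prover without $a$ who passes only when the challenge matches his guess. The modulus 77 and the secret 36 reuse the toy numbers of slide 11; the function names are assumptions.

```python
import secrets
from math import gcd

N = 77          # toy modulus (7 * 11); the verifier does not need the factors
A = 36          # Alice's secret a
B = A * A % N   # public value b = a^2 (= 64)

def rand_unit():
    """Random invertible element modulo N."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if gcd(r, N) == 1:
            return r

def check(s, c, y, b=B):
    """Bob's test: y^2 = s * b^c."""
    return y * y % N == s * pow(b, c, N) % N

def honest_round(a=A):
    """Order s, c, y: commit s = r^2, receive c, answer r * a^c."""
    r = rand_unit()
    s = r * r % N
    c = secrets.randbelow(2)          # Bob's challenge, chosen after seeing s
    return s, c, r * pow(a, c, N) % N

def simulate_round(b=B):
    """Order c, y, s: a valid triple built from public data only."""
    c = secrets.randbelow(2)
    y = rand_unit()
    s = y * y * pow(pow(b, c, N), -1, N) % N
    return s, c, y

def cheat_round(guess, b=B):
    """Prover without a: fixes s for a guessed challenge, then meets the real one.
    Returns (accepted, guess_was_right)."""
    y = rand_unit()
    s = y * y * pow(pow(b, guess, N), -1, N) % N
    c = secrets.randbelow(2)
    return check(s, c, y, b), c == guess
```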

34

Zero knowledge proofs

20 rounds: 1-in-million false acceptance

Similar: $e$th root or logarithm

Also: Graph coloring

Use with blind signatures:

Bob proves blinded message is legal

35

Secret Sharing

Goal: share holders together know $a$

Shares handed out by dealer

Share: related to $a$

$k-1$ shares reveal nothing

$k$ shares reveal all in reconstruction

36

Concepts in Sharing


Use:


Bank, company


Nuclear heads


Digital money


Key escrow



How many shares


Veto (split)

Threshold (share)

Protection

Perfect (poor!)


Verifiable



Actions with secret


Reconstruction


Use


37

Additive secret split

Dealing:

$a_1 \ldots a_{k-1}$ random

$a_k = a - a_1 - \ldots - a_{k-1}$

$a_k$ is no better

Reconstruction:

$a = a_1 + \ldots + a_k$

Symmetric!

Shares cannot be recognized

Given $k-1$ shares, every $a$ is still possible

“Real Cryptography”: Perfect Split

38

Using shared exponent

Secret is exponent $a$ (e.g., for RSA)

Shares: $a = a_1 + \ldots + a_k$

To compute $y^a$:

Shareholder $i$ submits $x_i = y^{a_i}$

Compute $x = x_1 \cdot \ldots \cdot x_k$

Use of secret does not compromise splitting

39

How perfect is perfect?

Shares cannot be recognized

Shareholders may cheat

Verifiable reconstruction (hash $H$):

Compute $a_i$ and $b_i = H(a_i)$

Give $a_i$ to $\mathrm{SH}_i$ and make $b_i$ public

Verified reconstruction:

$\mathrm{SH}_i$ submits $a_i$

Check $H(a_i) = b_i$

40

Dealer verifiable split

Number hash $H(a) = g^a$

The dealer

Publish $b = g^a$

Private share $a_i$ (sum $a$)

Public share $b_i = g^{a_i}$

Send $a_i$ to $\mathrm{SH}_i$

Verifiable shares

The shareholders

$b$ binds dealer!

secret is recognizable

Verify product = $b$

Verify $g^{a_i} = b_i$

Reconstruction

Verify submissions

41

Perfect Secret Shares

Theorem: through $k$ points runs exactly one curve of degree $k-1$

Dealing: select $a_1$ through $a_{k-1}$, $a_0 = a$

$f(z) = a_0 + a_1 \cdot z + \ldots + a_{k-1} \cdot z^{k-1}$

Share $s_i$ is $f(i)$

Reconstruction from $k$ points: polynomial interpolation

42

Verifiable Secret Sharing

Dealer:

Private coefficients $a_0$ through $a_{k-1}$

Private shares $s_i = f(i)$

Public coefficients $b_i = g^{a_i}$

Public shares $p_i = g^{s_i}$

Shareholders

$s_i = a_0 + a_1 \cdot i + \ldots + a_{k-1} \cdot i^{k-1}$

Global: $p_i = b_0 \cdot b_1^{i} \cdot b_2^{i^2} \cdot \ldots \cdot b_{k-1}^{i^{k-1}}$

Internal: $g^{s_i} = p_i$

43

Conclusions


Numbers as basis for cryptography


Most of cryptography is unproven


Results are often counterintuitive


“Every advantage has its disadvantage”